Internet security: Let’s keep this between us

TWENTY years ago Phil Zimmermann released encryption software called Pretty Good Privacy (PGP). His aim was to offer free tools to help human-rights advocates exchange data securely. The program was better than pretty good; it fell afoul of munitions export rules of the day that classified sufficiently strong scrambling as a weapon, leading to a three-year investigation by American authorities. Charges were never filed, however, and PGP popularised the use of public-key cryptography to allow parties who may never have met to communicate without fear of snooping.
Silent Circle, Mr Zimmermann’s latest firm, which he founded with a former Navy SEAL, extends privacy protection to voice and video calls, and instant and text messaging, as well as e-mail. On October 16th the company unveiled its software for the iPhone and other iOS devices that, for $20 a month, handles encrypted chat and voice over internet protocol (VoIP) calls. A version for Android is coming soon.
The software uses a protocol called ZRTP developed by Mr Zimmermann and two colleagues in 2006 (one of them, Jon Callas, has joined Silent Circle). ZRTP is a “real-time transport protocol”, which can handle streaming audio and video as it is produced. It relies on several well-known standards for encryption and voice communication with a twist to keep out nosey parkers. Secure communications requires that both parties obtain the same encryption key. These are simple to create and exchange between two or more parties. ZRTP uses a well-established method called the Diffie-Hellman algorithm to do this.
But while Diffie-Hellman can pass a key to multiple people securely, it cannot determine whether those people are the intended recipients. If the key is unwittingly passed instead to an eavesdropper, the communications are compromised, leaving the intended interlocutors none the wiser. To prevent interception, Alice and Bob, as interlocutors are dubbed in cryptographic parlance, have to confirm not just that they have any encryption key, but that they share the same key. Mathematically, this is trivial. The rub is how Alice and Bob talk to each other without using the very communications channel that has yet to be verified as kosher.
In PGP, Mr Zimmermann solved this by using public-key cryptography, which uses a pair of private and public keys to handle encryption. The public key is freely published and distributed online, and verified by other trusted parties. A PGP-protected document would contain an encryption key unique to the document that scrambled the file’s contents. That document key is itself enciphered using recipient’s public key. Only an intended party with the corresponding private key could extract the document’s secret and decrypt it.
That may be straightforward for expert cryptographers, but not for the vast majority of internet users. So ZRTP takes a different tack. It relies on the fact that it is difficult to impersonate a voice. After a voice call is initiated with Silent Circle’s VoIP software, the two users are both presented with the same short number. At any point in the call, they can read this number to the other person to ensure it matches. If it doesn’t, an eavesdropper might be listening in.
Mr Zimmermann notes that by “dragging a couple of human brains into the protocol”, Silent Circle makes it impossible for an interloper to predict when the people in a conversation will perform the verification step or how they will perform it, and so pre-arrange a convincing impersonation. (Video chats in Silent Circle will show a blank screen until the short code is verified, and the text messaging app shows the code and suggests making a brief phone call to verify it.)
At the end of each session, the shared key is destroyed, which prevents a snooper from recording the scrambled data and attempting to recover the key from either party later. Before digitally erasing the key, however, ZRTP creates an irreversible mathematical derivative called a hash using the same process on both parties’ computers or smartphones. The next session between those two people exchanges a fresh encryption key, and uses that previously calculated hash as verification of their respective identities. If a hash is recovered by a cracker, that must be used to intercept the very next session’s key, or it becomes stale and useless. (This is known as perfect forward security: there’s no way to rewind to retrieve older keys.)
Mr Zimmermann calls his firm’s approach “curated crypto” where a user trusts the firm making the software to adopt encryption infrastructure without possessing any of the user’s keys. That stands in contrast to the secured voice, video and chat system at Microsoft’s Skype, which uses security certificates managed by Skype which may, some cryptographers claim, allow interception or later playback. Microsoft denies this but the fact that Skype has not fully disclosed its inner workings or allowed an independent security audit in years worries many privacy advocates. Silent Circle, by contrast, uses well-known algorithms and will publish its source code for review (though it retains copyright over its unique portions and does not license re-use). As a result, users are free to verify, then trust.